Forum Discussion
MSI Elevated privilege request
Rudy_Ooms_MVP Hi, no, this is the problem: I am trying to lock it down so they can't install anything without admin credentials unless it's in the portal, but when I turn on the settings it stops the installation of Microsoft Teams and Adobe Reader when re-installing machines using Autopilot and Intune to deploy them.
I have Autopilot set to create users as standard accounts when the machine is set up, so .exe installs ask for credentials when run, but .msi files don't.
- edwardwest, Jul 31, 2021, Copper Contributor
Hi,
These are the settings I have currently. I have tried various combinations, and they either stop everything and don't prompt for admin credentials, don't block anything, or they work but stop Intune pushing apps on install. They are set to system installations, so I'm not sure what the issue is. All of Office installs except Teams; disable this policy and Teams installs, but .msi files can run.

Microsoft Defender Exploit Guard
- Flag credential stealing from the Windows local security authority subsystem: Enable
- Process creation from Adobe Reader (beta): Enable
- Office apps injecting into other processes (no exceptions): Block
- Office apps/macros creating executable content: Block
- Office apps launching child processes: Block
- Win32 imports from Office macro code: Block
- Process creation from Office communication products (beta): Enable
- Obfuscated js/vbs/ps/macro code: Block
- js/vbs executing payload downloaded from Internet (no exceptions): Block
- Process creation from PSExec and WMI commands: Block
- Untrusted and unsigned processes that run from USB: Block
- Executables that don't meet a prevalence, age, or trusted list criteria: Block
- Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions): Block
- Advanced ransomware protection: Enable
- Network protection: Disable

Microsoft Defender Application Control
- Application control code integrity policies: Enforce
- Trust apps with good reputation: Enable

Because we are only a small organisation, I have set the policies on the machines individually in the past using the local admin account, but as we now need to be Cyber Essentials Plus certified, this is going to be a nightmare next year when we renew it, as for any changes I will have to call all the machines in and adjust the policies individually. So I thought Endpoint would be a nice way of setting things up, but it has been a while since I have done server/network stuff at this level.

My end goal is first off making sure all the machines are protected and secure. After that I want to be able to push the required apps through Company Portal, prompt all other installations to require admin credentials, stop any .exe file from running from the desktop/downloads etc., and set the default apps for Mail and PDF.
After that I will look into what else can be applied and managed, but for now I don't want to overcomplicate things. So far I have managed to stop autorun/autoplay, set the default apps, stop .exe installation, and prompt for admin credentials when trying to run CMD/PowerShell, so some bits are done.

- Jul 31, 2021
Hi.
The ASR rules look pretty good... please beware of this one: Executables that don't meet a prevalence, age, or trusted list criteria
It can sometimes screw some things up!
And just enabling Application Guard with this setting:

Microsoft Defender Application Control
- Application control code integrity policies: Enforce
- Trust apps with good reputation: Enable

is not my cup of tea... I would rather start with AppLocker. I have done a blog series about endpoint protection... WDAC/MDAC is of course one of them! When you have configured it like you did.... a lot of stuff, and I mean a lot of stuff, will be blocked.
https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/

- edwardwest, Jul 31, 2021, Copper Contributor
I will have a read of your blogs. I guess Endpoint/Intune as it is now is pretty new, as there are a lot of settings you can't do from its preselect options and have to make custom policies and import them.
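As an added example that is not part of this thread (not Rudy's or edwardwest's code, and not an Intune policy export): before enforcing the prevalence/age/trusted-list rule Rudy warns about, stage it in Audit mode on a test device with the Defender PowerShell cmdlets and read the resulting audit events to see which installers (Teams, Adobe Reader, .msi packages) it would have blocked. It assumes an elevated PowerShell session on a Defender-protected Windows 10 test device; on an Intune-enrolled device the same Audit/Block choice would normally be made in the Endpoint security ASR profile rather than locally.

```powershell
# Added example (not from the thread): stage the "Executables that don't meet a
# prevalence, age, or trusted list criteria" ASR rule in Audit mode on a test
# device, then review what it would have blocked before switching it to Block.
# Run in an elevated PowerShell session on a device running Microsoft Defender.

# Microsoft's published ASR rule ID for "Block executable files from running
# unless they meet a prevalence, age, or trusted list criterion".
$PrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# 1. Show how the rule is currently configured on this device.
#    Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$pref  = Get-MpPreference
$index = [array]::IndexOf(@($pref.AttackSurfaceReductionRules_Ids), $PrevalenceRule)
if ($index -ge 0) {
    "Current action for prevalence rule: $($pref.AttackSurfaceReductionRules_Actions[$index])"
} else {
    "Prevalence rule is not configured locally (it may be delivered by Intune/MDM instead)."
}

# 2. Put the rule into Audit mode. Add-MpPreference merges into the existing
#    rule list (Set-MpPreference would overwrite every configured ASR rule).
Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. After a test deployment (Autopilot enrolment, Teams / Adobe Reader / .msi
#    installs), list the events this rule generated.
#    Event ID 1122 = audited (would have been blocked); 1121 = actually blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $PrevalenceRule } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n" | Select-Object -First 1).Trim() } } |
    Format-Table -AutoSize
```

Anything that shows up as a 1122 event here is an installer or binary that would fail under Block; either make sure it is delivered through the Company Portal/Intune Win32 app path the thread describes, or keep the rule in Audit until the deployment is clean.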